feat: add pam.d restricting su binary, add more modules to be disabled, add grub commandline options for security
This commit is contained in:
Lorenzo Tucci
parent
31ff66c2d2
commit
dddf1a381c
10 changed files with 142 additions and 5 deletions
5
grub/grub
Normal file
5
grub/grub
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
# These rules are not meant to be copied and pasted as there will
|
||||
# likely be other options enabled on your machine.
|
||||
# Instead add them to the already existing ones in your /etc/default/grub
|
||||
# remove ipv6 disable at the end if needed
|
||||
GRUB_CMDLINE_LINUX="slab_nomerge slub_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0 ipv6.disable=1"
|
||||
6
modprobe/etc/modprobe.d/disable-network-filesystems.conf
Normal file
6
modprobe/etc/modprobe.d/disable-network-filesystems.conf
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
# Disable only if not used
|
||||
install cifs /bin/true
|
||||
install nfs /bin/true
|
||||
install nfsv3 /bin/true
|
||||
install nfsv4 /bin/true
|
||||
install gfs2 /bin/true
|
||||
7
modprobe/etc/modprobe.d/disable-rare-filesystems.conf
Normal file
7
modprobe/etc/modprobe.d/disable-rare-filesystems.conf
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
install cramfs /bin/false
|
||||
install freevxfs /bin/false
|
||||
install jffs2 /bin/false
|
||||
install hfs /bin/false
|
||||
install hfsplus /bin/false
|
||||
install squashfs /bin/false
|
||||
install udf /bin/false
|
||||
|
|
@ -1,4 +1,19 @@
|
|||
install dccp /bin/true
|
||||
install sctp /bin/true
|
||||
install rds /bin/true
|
||||
install tipc /bin/true
|
||||
install dccp /bin/false
|
||||
install sctp /bin/false
|
||||
install rds /bin/false
|
||||
install tipc /bin/false
|
||||
install n-hdlc /bin/false
|
||||
install ax25 /bin/false
|
||||
install netrom /bin/false
|
||||
install x25 /bin/false
|
||||
install rose /bin/false
|
||||
install decnet /bin/false
|
||||
install econet /bin/false
|
||||
install af_802154 /bin/false
|
||||
install ipx /bin/false
|
||||
install appletalk /bin/false
|
||||
install psnap /bin/false
|
||||
install p8023 /bin/false
|
||||
install p8022 /bin/false
|
||||
install can /bin/false
|
||||
install atm /bin/false
|
||||
|
|
|
|||
1
modprobe/etc/modprobe.d/disable-vivid.conf
Normal file
1
modprobe/etc/modprobe.d/disable-vivid.conf
Normal file
|
|
@ -0,0 +1 @@
|
|||
install vivid /bin/false
|
||||
13
pam/etc/pam.d/rocky-linux/su
Normal file
13
pam/etc/pam.d/rocky-linux/su
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
#%PAM-1.0
|
||||
auth required pam_env.so
|
||||
auth sufficient pam_rootok.so
|
||||
# Uncomment the following line to require a user to be in the "wheel" group.
|
||||
auth required pam_wheel.so use_uid
|
||||
auth substack system-auth
|
||||
auth include postlogin
|
||||
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
|
||||
account include system-auth
|
||||
password include system-auth
|
||||
session include system-auth
|
||||
session include postlogin
|
||||
session optional pam_xauth.so
|
||||
7
pam/etc/pam.d/rocky-linux/su-l
Normal file
7
pam/etc/pam.d/rocky-linux/su-l
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
#%PAM-1.0
|
||||
auth include su
|
||||
account include su
|
||||
password include su
|
||||
session optional pam_keyinit.so force revoke
|
||||
session include su
|
||||
auth required pam_wheel.so use_uid
|
||||
59
pam/etc/pam.d/ubuntu/su
Normal file
59
pam/etc/pam.d/ubuntu/su
Normal file
|
|
@ -0,0 +1,59 @@
|
|||
#
|
||||
# The PAM configuration file for the Shadow `su' service
|
||||
#
|
||||
|
||||
# This allows root to su without passwords (normal operation)
|
||||
auth sufficient pam_rootok.so
|
||||
|
||||
# Uncomment this to force users to be a member of group root
|
||||
# before they can use `su'. You can also add "group=foo"
|
||||
# to the end of this line if you want to use a group other
|
||||
# than the default "root" (but this may have side effect of
|
||||
# denying "root" user, unless she's a member of "foo" or explicitly
|
||||
# permitted earlier by e.g. "sufficient pam_rootok.so").
|
||||
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
|
||||
auth required pam_wheel.so
|
||||
|
||||
# Uncomment this if you want wheel members to be able to
|
||||
# su without a password.
|
||||
# auth sufficient pam_wheel.so trust
|
||||
|
||||
# Uncomment this if you want members of a specific group to not
|
||||
# be allowed to use su at all.
|
||||
# auth required pam_wheel.so deny group=nosu
|
||||
|
||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||
# time restrainst on su usage.
|
||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||
# as well as /etc/porttime)
|
||||
# account requisite pam_time.so
|
||||
|
||||
# This module parses environment configuration file(s)
|
||||
# and also allows you to use an extended config
|
||||
# file /etc/security/pam_env.conf.
|
||||
#
|
||||
# parsing /etc/environment needs "readenv=1"
|
||||
session required pam_env.so readenv=1
|
||||
# locale variables are also kept into /etc/default/locale in etch
|
||||
# reading this file *in addition to /etc/environment* does not hurt
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# Defines the MAIL environment variable
|
||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||
# in /etc/login.defs to make sure that removing a user
|
||||
# also removes the user's mail spool file.
|
||||
# See comments in /etc/login.defs
|
||||
#
|
||||
# "nopen" stands to avoid reporting new mail when su'ing to another user
|
||||
session optional pam_mail.so nopen
|
||||
|
||||
# Sets up user limits according to /etc/security/limits.conf
|
||||
# (Replaces the use of /etc/limits in old login)
|
||||
session required pam_limits.so
|
||||
|
||||
# The standard Unix authentication modules, used with
|
||||
# NIS (man nsswitch) as well as normal /etc/passwd and
|
||||
# /etc/shadow entries.
|
||||
@include common-auth
|
||||
@include common-account
|
||||
@include common-session
|
||||
7
pam/etc/pam.d/ubuntu/su-l
Normal file
7
pam/etc/pam.d/ubuntu/su-l
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
#%PAM-1.0
|
||||
auth include su
|
||||
account include su
|
||||
password include su
|
||||
session optional pam_keyinit.so force revoke
|
||||
session include su
|
||||
auth required pam_wheel.so
|
||||
|
|
@ -23,18 +23,35 @@ net.ipv4.conf.all.forwarding = 0
|
|||
net.ipv4.conf.all.log_martians = 1
|
||||
net.ipv4.conf.all.mc_forwarding = 0
|
||||
net.ipv4.conf.all.proxy_arp = 0
|
||||
net.ipv4.conf.all.rp_filter = 0
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.all.secure_redirects=0
|
||||
net.ipv4.tcp_rfc1337=1
|
||||
net.ipv4.tcp_sack=0
|
||||
net.ipv4.tcp_dsack=0
|
||||
net.ipv4.tcp_fack=0
|
||||
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
net.ipv4.conf.default.accept_source_route = 0
|
||||
net.ipv4.conf.default.log_martians = 1
|
||||
net.ipv4.conf.default.rp_filter=1
|
||||
net.ipv4.conf.default.send_redirects=0
|
||||
net.ipv4.conf.default.secure_redirects=0
|
||||
|
||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
net.ipv4.tcp_timestamps = 1
|
||||
|
||||
dev.tty.ldisc_autoload=0
|
||||
vm.unprivileged_userfaultfd=0
|
||||
kernel.kexec_load_disabled=1
|
||||
kernel.perf_event_paranoid=2
|
||||
kernel.yama.ptrace_scope=2
|
||||
|
||||
vm.mmap_rnd_bits=32
|
||||
vm.mmap_rnd_compat_bits=16
|
||||
|
||||
# Uncomment do disable ipv6
|
||||
#net.ipv6.conf.all.disable_ipv6=1
|
||||
#net.ipv6.conf.default.disable_ipv6=1
|
||||
|
|
|
|||
Loading…
Reference in a new issue